Back to skill

Security audit

Instant DB

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for InstantDB administration, but it can change or delete live database data with an admin token and does not document enough safeguards.

Install only if you intend to let an agent administer an InstantDB app. Use a non-production or least-privilege token where possible, keep the admin token out of logs and shell history, require explicit confirmation before writes or deletes, verify backups for destructive workflows, and update/pin ws to a patched version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documents use of environment variables for an InstantDB admin token but does not declare corresponding permissions or access expectations. This creates a transparency and governance gap: an agent may be given powerful database credentials without clear review boundaries, increasing the chance of unauthorized reads, writes, or destructive actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger text is broad enough that an agent could invoke this skill whenever a task mentions real-time updates, syncing, or entity operations, even when database mutation is unnecessary or unsafe. Because this skill performs privileged InstantDB admin actions, ambiguous routing increases the chance of unintended use of destructive capabilities in the wrong context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents delete operations and other destructive admin capabilities without warning about confirmation, authorization, backups, or production impact. In an agentic context, this omission can normalize unsafe execution patterns and lead to accidental or unauthorized data loss, especially since the skill is designed for live database administration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to set an admin token and immediately demonstrates live admin operations, but it does not warn that these credentials grant powerful write/delete access to production data. In this skill's context, exposing privileged setup and execution patterns without safeguards makes misuse more dangerous because the same skill can perform broad real-time administrative actions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger language is very broad, causing the skill to activate for generic references to real-time updates, database sync, or entity operations. Because this skill enables admin-level database mutation and subscriptions, ambiguous routing can invoke it in contexts where destructive operations were not intended or sufficiently reviewed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises create, update, delete, link/unlink, and transaction capabilities but provides no user-facing warning that these are destructive admin operations. In an agent setting, this increases the risk of accidental data loss, unauthorized state changes, or irreversible relationship mutations, especially when paired with broad triggers and admin credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell users to export an InstantDB admin token without emphasizing that it is a highly sensitive secret with full administrative power. This normalizes unsafe handling of credentials and can lead to token leakage through shell history, logs, screenshots, shared terminals, or reuse in insecure environments.

Missing User Warnings

High
Confidence
80% confidence
Finding
The cascade delete example demonstrates irreversible multi-entity deletion across related records without any warning, guardrails, or verification steps. In an admin-oriented InstantDB skill, this can normalize unsafe destructive operations and increase the chance that an agent or developer copies the pattern into production workflows, causing accidental large-scale data loss.

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@instantdb/admin": "^0.14.0",
    "ws": "^8.18.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
95% confidence
Finding
"ws": "^8.18.0"

Known Vulnerable Dependency: ws==8.18.0 — 2 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
99% confidence
Finding
ws==8.18.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.